Reporters can manage issue boards

HackerOne report #736586 by ashish_r_padelkar on 2019-11-13, assigned to @jeremymatos:

Summary

Hello,

I reported a similar report before, #529944, and it resulted in a documentation change.

I am not sure if this documentation https://gitlab.com/help/user/permissions#issue-board-permissions was recently changed or if it was there before too, but I would like to report it anyway.

The documentation here at https://gitlab.com/help/user/permissions#issue-board-permissions says

"Developers and users with higher permission level can use all the functionality of the Issue Board, that is create/delete lists and drag issues around"

Which is not correct. Reporters can still manage issue boards.

Steps to reproduce

  1. Log in as a Reporter within a project and you are allowed to manage issue boards.

What is the current bug behavior?

Reporters can manage issue boards, which contradicts the documentation.

What is the expected correct behavior?

If it's an intended behaviour, this should just be a documentation change like #529944. But if this is a recent product change, then proper permissions should be applied as mentioned in the documentation.

Output of checks

This bug happens on GitLab.com and might be on omnibus installations too. I tested this on GitLab.com.

Regards,
Ashish

Impact

Reporters can manage issue boards
